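{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.security.polkit;

  # Render the admin identity list as a JavaScript array literal.
  # `builtins.toJSON` quotes and escapes every element, so an identity that
  # contains `"` or `\` cannot corrupt or break out of the generated rule;
  # the previous `"\"${i}\""` interpolation escaped nothing.  A JSON array is
  # a valid JavaScript array literal, and an empty list renders as `[]`.
  adminIdentitiesJs = builtins.toJSON cfg.adminIdentities;

in

{

  options = {

    security.polkit.enable = mkEnableOption (lib.mdDoc "polkit");

    security.polkit.debug = mkEnableOption (lib.mdDoc "debug logs from polkit. This is required in order to see log messages from rule definitions");

    security.polkit.extraConfig = mkOption {
      type = types.lines;
      default = "";
      example =
        ''
          /* Log authorization checks. */
          polkit.addRule(function(action, subject) {
            // Make sure to set { security.polkit.debug = true; } in configuration.nix
            polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
          });

          /* Allow any local user to do anything (dangerous!). */
          polkit.addRule(function(action, subject) {
            if (subject.local) return "yes";
          });
        '';
      description = lib.mdDoc
        ''
          Any polkit rules to be added to config (in JavaScript ;-). See:
          http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules

          These rules are written verbatim into
          `/etc/polkit-1/rules.d/10-nixos.rules` and evaluated by the polkit
          daemon; they are not checked at build time, and a rule that
          returns `"yes"` grants the action outright.  Keep rules as narrow
          as possible (match on `action.id` and the subject rather than on
          `subject.local` alone).
        '';
    };

    security.polkit.adminIdentities = mkOption {
      type = types.listOf types.str;
      default = [ "unix-group:wheel" ];
      example = [ "unix-user:alice" "unix-group:admin" ];
      description = lib.mdDoc
        ''
          Specifies which users are considered administrators, for those
          actions that require the user to authenticate as an
          administrator (i.e. have an `auth_admin`
          value). By default, this is all users in the `wheel` group.
        '';
    };

  };


  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.polkit.bin pkgs.polkit.out ];

    systemd.packages = [ pkgs.polkit.out ];

    # The leading "" clears the ExecStart inherited from the upstream unit
    # file (pulled in via systemd.packages) before our command line is set.
    # Debug logging is opt-in; without it polkitd runs with --no-debug.
    systemd.services.polkit.serviceConfig.ExecStart = [
      ""
      "${pkgs.polkit.out}/lib/polkit-1/polkitd ${optionalString (!cfg.debug) "--no-debug"}"
    ];

    # Restart (rather than merely stop) the daemon whenever the system path
    # changes, presumably because the action files it reads are linked from
    # there (see pathsToLink below).
    systemd.services.polkit.restartTriggers = [ config.system.path ];
    systemd.services.polkit.stopIfChanged = false;

    # The polkit daemon reads action/rule files
    environment.pathsToLink = [ "/share/polkit-1" ];

    # PolKit rules for NixOS.  The admin identities are emitted through
    # builtins.toJSON (see adminIdentitiesJs) so they are always correctly
    # quoted; extraConfig is appended as-is.
    environment.etc."polkit-1/rules.d/10-nixos.rules".text =
      ''
        polkit.addAdminRule(function(action, subject) {
          return ${adminIdentitiesJs};
        });

        ${cfg.extraConfig}
      ''; #TODO: validation on compilation (at least against typos)

    services.dbus.packages = [ pkgs.polkit.out ];

    security.pam.services.polkit-1 = {};

    # Both binaries are installed setuid root; they are the only privileged
    # entry points this module creates.  Their safety therefore rests on the
    # rule set generated above and on the `polkit-1` PAM service declared
    # just before (NOTE(review): polkit-agent-helper-1 is presumably what
    # consumes that PAM service — confirm against the polkit sources).
    security.wrappers = {
      pkexec =
        { setuid = true;
          owner = "root";
          group = "root";
          source = "${pkgs.polkit.bin}/bin/pkexec";
        };
      polkit-agent-helper-1 =
        { setuid = true;
          owner = "root";
          group = "root";
          source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
        };
    };

    # "R" removes the path recursively on every boot.
    systemd.tmpfiles.rules = [
      # Probably no more needed, clean up
      "R /var/lib/polkit-1"
      "R /var/lib/PolicyKit"
    ];

    # Unprivileged account the daemon drops to; the uid is allocated
    # centrally in config.ids so it stays stable across rebuilds.
    users.users.polkituser = {
      description = "PolKit daemon";
      uid = config.ids.uids.polkituser;
      group = "polkituser";
    };

    users.groups.polkituser = {};
  };

}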